Re: Simultaneous session limits and duplicate detection
On Thu, Mar 08, 2007 at 02:46:34PM -0800, Bernard Aboba wrote:
> Alper Yegin said:
> "RADIUS does not talk about 1, does not properly mandate 2a...
> If we decide to go with 2a, we need to fix RADIUS spec. Meanwhile, can
> assume all of the current RADIUS implementations are already supporting
> so that in the absence of 1 and 2b EAP works well?"
> [BA] Yes, I think we can assume this. Alan's proposed language will
I hit this issue in testing a couple of years ago when EAP-SIM tests
were failing if the NAS re-transmitted the Access-Request quickly. In other
words, the RADIUS server was not doing duplicate detection. Since then,
this particular implementation has added support for duplicate
detection, but I believe it can be disabled in configuration and there
has been discussion on some deployments doing that in order to avoid
issues with a large number of requests (more than 256 per the duplicate
window of a couple of seconds, i.e., more than the number of unique
The Issues & Fixes document Section 2.1.2 talks about how a combination of
the EAP Identifier, source IP address and State attribute can be used to
enable each EAP session to have its own unique Identifier space. If handled
this way, there would not be a tradeoff between duplicate elimination and
restrictions on the number of simultaneous sessions that can be handled.
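
The per-session keying described above, as an added example (not code from this thread or from any RADIUS implementation): a replay cache keyed on source IP, State and EAP Identifier, so that 300 concurrent sessions from one NAS each get duplicate elimination. The class, the window length, the address and the State values are constructed assumptions, and the sketch covers requests that already carry a State attribute.

```python
import time


class EapDuplicateCache:
    """Replay cache keyed per EAP session instead of per 8-bit RADIUS Identifier."""

    def __init__(self, window=5.0, clock=time.monotonic):
        self.window = window      # assumed duplicate window, in seconds
        self.clock = clock
        self.entries = {}         # key -> (expiry time, cached reply)

    def handle(self, src_ip, state, eap_id, process):
        """Return (is_duplicate, reply); process() runs only for a new request."""
        now = self.clock()
        # Drop expired entries so the cache stays bounded by the window.
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
        key = (src_ip, state, eap_id)
        if key in self.entries:
            return True, self.entries[key][1]   # retransmission: replay the reply
        reply = process()
        self.entries[key] = (now + self.window, reply)
        return False, reply


def demo():
    """Constructed scenario: 300 sessions from one NAS, each retransmitting once."""
    fake_now = [0.0]
    cache = EapDuplicateCache(window=5.0, clock=lambda: fake_now[0])
    method_steps = 0

    def eap_step():
        # Stands in for advancing the EAP method (e.g. EAP-SIM) by one round.
        nonlocal method_steps
        method_steps += 1
        return f"Access-Challenge #{method_steps}"

    duplicates = 0
    for session in range(300):
        state = f"state-{session}".encode()   # constructed State values
        for _ in range(2):                     # original + quick retransmission
            dup, _reply = cache.handle("192.0.2.10", state, 1, eap_step)
            duplicates += dup
    fake_now[0] = 10.0                         # the duplicate window has passed
    late_dup, _ = cache.handle("192.0.2.10", b"state-0", 1, eap_step)
    return method_steps, duplicates, late_dup
```

Every session here uses the same EAP Identifier, yet each retransmission is answered from the cache and the method is advanced exactly once per session, with no 256-entry ceiling.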